Cyber Security 4.0 Conference, 30 November 2016

Social Engineering: The Human Factor of Cyber Security

Upload: infinit-innovationsnetvaerket-for-it

Post on 20-Jan-2017




Our Work: Danish Institute of Fire and Security Technology

• Social Engineering

• Cyber Investigation / IT Forensics

• Physical & Electronic Security

Presentation Overview

Future of Social Engineering: Current trends and future expectations on the phenomenon of Social Engineering.

Dogana: 3-year EU project with the aim of developing next generation Social Engineering attacks and mitigation methods.

Project SAVE: National R&D project for the Royal Danish Defence College (FAK) on Social Engineering 2.0.

Introduction to Social Engineering

Social Engineering

Definition: "Social Engineering is the art of getting someone to do something they would not otherwise do, using psychological manipulation."

Social Engineering Attack Cycle

1. Reconnaissance: Conduct the necessary research to understand the target at hand.

2. Contact: Initiate contact with the target based on the insights gained from the reconnaissance phase.

3. Attack: Execute the attack by requiring the target to conduct an action the target would not otherwise do.

4. Exit: Employing an exit strategy is typically only required if the target is to be left unsuspecting or if the attackers expect additional contact with the target in the future.

Social Engineering 2.0: New Methods

Social Engineering has evolved from the physical domain as a platform for elicitation of information to employing cyberspace as the new battleground. With new means of communication between individuals come new attack vectors for the social engineer, including phishing emails, smishing, CEO fraud, ransomware, etc.

Project SAVE: Social Vulnerability & Assessment Framework

R&D for the Royal Danish Defence College

Project SAVE: National Project

National project developed for the Royal Danish Defence College with the purpose of uncovering the threat of Social Engineering against critical national infrastructure (CNI) in Denmark.

• Development of advanced OSINT methods, deception planning and SE 2.0 attacks.

• Execution of simulated attacks against three companies that are directly part of, or support, critical national infrastructure.

• The purpose is to uncover how vulnerable CNI is to Social Engineering 2.0 attacks and to disseminate the results of the study.

SAVE: Reconnaissance

• Crawling of email addresses

• Social media personality profiling (sentiment analysis)

• Social Network Analysis (SNA)

• Systemic network footprinting (Maltego, metadata)

• Darknet investigation for leaked/sold information

Project SAVE: Reconnaissance

Email crawling:

• Crawled from the companies' own websites

• Crawled from open sources

• Indexed results from Google

• Indexed documents

Project SAVE: Reconnaissance

Sentiment Analysis & Personality Profiling:

• Crawled content from the targets' Facebook profiles

• Coded a script

• Emulated human browsing with Selenium to avoid crawling countermeasures

• Conducted sentiment analyses of the content using a 'bag of words' approach

• Based on the sentiment analyses we categorized the users in the 'Big Five' personality framework

Project SAVE: Reconnaissance

IP Network Footprinting and Metadata Analysis:

Project SAVE: Reconnaissance

Darknet Investigation Methods:

• Systematic analysis of information sold on the darknet

• Correlated information sold on more than 45 darknet markets for the companies involved in the study

• We could not request information

Project SAVE: Reconnaissance Results

Critical Results from the Recon Phase:

• ID of layout for business deals

• ID of stakeholders and voting rights within the organisation

• ID of critical database system and how to access it

• ID of complete guide to the database

• ID of users with access to the database

• Full list of emails and phone numbers

Project SAVE: Reconnaissance Results

Critical Results from the Recon Phase:

• ID of useful information from metadata, incl. a long list of software in use

• Design of guest ID card

• Social network analysis revealed critical nodes within the company network, which were highly interconnected, making them ideal targets for a SE attack

SAVE: Attack Vectors

• Phishing emails

• Spear-phishing emails

• Credential harvesting

• Whaling

• Smishing

• Evil USB

• PDF attack

Project SAVE: Executed Attacks

Objective is to target CNI: Three companies that are either directly part of, or support, critical infrastructure in Denmark participated.

Conduct Cyber Reconnaissance: Complete cyber reconnaissance of the companies and selected employees.

185 Social Engineering 2.0 attacks: A total of 185 SE 2.0 attacks were executed as part of the field trial testing.

Vector                    Target#1   Target#2   Target#3
Spear-Phishing                   3          1          3
Whaling                          1          1          3
Conventional Phishing            2          4        146
Smishing                         3          5          9
USB Attack                       0          0          3
PDF attack (follow-up)           1      2 (3)          0

Project SAVE: Aggregated Results

Successful Attacks: 47 pct. of all executed SE 2.0 attacks were successful in convincing the targets to click on phishing links or execute a file. The criterion for success was that the attempt registered on our web server log.

Failed Attempts: A little more than half of all executed attacks were unsuccessful in the study. From qualitative interviews with some of the targets, we can conclude that minor details in the wording, the spoofed sender, and/or lack of information (e.g. a phone number in the email) were the reasons behind their lack of trust in the email.

[Chart: Success Rate of SE 2.0 Attacks: 47% successful, 53% unsuccessful]
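The success criterion used above (a hit registered on the landing web server's log) is also what a security awareness team measures after its own simulated phishing exercise. The script below is an added example, not code from Project SAVE; it assumes Apache-style access log lines and a per-lure token (`t=`) that maps each link to a target and attack vector, both constructed here.

```python
import re
from collections import defaultdict

# Constructed sample access log from the landing server of a simulated
# phishing exercise (not real data). Every lure link carries a unique
# token so a hit can be attributed to one target and one attack vector.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2016:09:12:01 +0100] "GET /login?t=a1b2 HTTP/1.1" 200 512
203.0.113.11 - - [30/Nov/2016:09:15:44 +0100] "GET /login?t=c3d4 HTTP/1.1" 200 512
203.0.113.10 - - [30/Nov/2016:09:16:02 +0100] "GET /login?t=a1b2 HTTP/1.1" 200 512
198.51.100.7 - - [30/Nov/2016:10:01:13 +0100] "GET /favicon.ico HTTP/1.1" 404 209
198.51.100.8 - - [30/Nov/2016:10:20:30 +0100] "GET /doc.pdf?t=e5f6 HTTP/1.1" 200 90210
198.51.100.9 - - [30/Nov/2016:11:02:55 +0100] "GET /login?t=zzzz HTTP/1.1" 200 512
"""

# Constructed lure registry (hypothetical): token -> (target, vector).
LURES = {
    "a1b2": ("target1", "spear-phishing"),
    "c3d4": ("target2", "conventional phishing"),
    "e5f6": ("target3", "pdf attack"),
    "g7h8": ("target1", "smishing"),
    "i9j0": ("target2", "smishing"),
}

LINE_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
TOKEN_RE = re.compile(r"[?&]t=([A-Za-z0-9]+)")


def parse_hits(log_text):
    """Set of lure tokens that registered at least one successful request.
    Repeat clicks count once (the study's criterion is binary: clicked or
    not); error responses and unknown tokens are ignored."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(2)) >= 400:
            continue
        t = TOKEN_RE.search(m.group(1))
        if t and t.group(1) in LURES:
            hits.add(t.group(1))
    return hits


def success_by_vector(lures, hits):
    """Per-vector (successful, sent) counts and the overall success rate."""
    sent, ok = defaultdict(int), defaultdict(int)
    for token, (_, vector) in lures.items():
        sent[vector] += 1
        ok[vector] += token in hits
    return {v: (ok[v], sent[v]) for v in sent}, sum(ok.values()) / len(lures)
```

With the constructed data, three of five lures register a hit (60%), and the per-vector breakdown shows both smishing lures went unclicked, which is the kind of split the SAVE table above reports per target and vector.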

Dogana: Advanced Social Engineering and Vulnerability Assessment Framework

R&D for the EU Commission

The Dogana Project: The Dogana Consortium

18 partners from 11 countries in a 3-year Horizon 2020 project about advanced Social Engineering 2.0.

Partners: see http://www.dogana-project.eu

The Dogana Project: Overview of Dogana

Next Generation SE Attacks: Developing a next generation platform for social vulnerability assessment via simulated attacks.

Innovative Awareness Methods: Using innovative awareness methods to mitigate the risk of social engineering.

Full Scale Field Trials: Full-scale field trial testing of the platform, testing more than 1,000 employees to evaluate the recon, attack and awareness phases.

http://www.dogana-project.eu

The Dogana Project: Dogana Platform

End-to-End SE Platform: An end-to-end platform which embodies both advanced reconnaissance methods for uncovering the digital shadow of targets and psychological profiling.

Adv. Recon and Assessment of Targets: The advanced recon methods are integrated into a one-stop platform where a full assessment of targets can be conducted.

Integrated SE 2.0 Attacks: The platform integrates social engineering 2.0 attack vectors, thus becoming a holistic attack solution for conducting socially driven vulnerability assessments of companies.

http://www.dogana-project.eu

The Dogana Project: Innovative Awareness Methods

Gamification: Gamification is the concept of using serious games as a delivery method for improving the security consciousness of the recipients.

Interactive Learning: Serious games are interactive and can be either single- or multi-player. Serious games can prove to be more effective than conventional learning methods.

Less is More: 2 min. of playing a game every day for six months versus spending 6 hours at a frontal lecture once every six months. Which has the greatest impact in maintaining security consciousness for the recipient over time?

http://www.dogana-project.eu

Future of Social Engineering

Future of SE: Introducing SNAP_R

Automated End-to-End Spear Phishing on Twitter: SNAP_R auto-analyses and selects targets, and generates proper and relevant responses to tweets, which include a phishing link.

Neural Network / Deep Learning: It utilizes deep learning for analysing data from users and data about users, in order to select the targets most susceptible to spear phishing attacks.

Deception through Obfuscation: Given that grammatical errors are widely accepted on Twitter, that a tweet is limited to 140 characters and that URLs are almost always shortened, SNAP_R gets around most of the obstacles of machine learning for automated spear phishing attacks.

Future of SE: Introducing SNAP_R

5x More Effective: SNAP_R is up to five times as effective as other automated spear phishing bots, which typically have a success rate ranging from 5% to 14%. SNAP_R, however, reports success rates between 30% and 66%. Manually constructed spear phishing attacks have an average success rate of 45%.

Open Source: SNAP_R is open source and available for everyone to test. The script can be found on GitHub:

https://github.com/getzerofox/SNAP_R

Example

Future of SE: IoT Ransomware

Internet of Things Ransomware: IoT ransomware is no longer hypothetical. We foresee a development in ransomware attacks moving to IoT as soon as more standards are implemented in the making of IoT devices.

From Digital to Physical Lockdown: When all of your devices become connected to the Internet, ransomware attacks will be able to move from focusing on locking access to data to locking access to your actual devices.

Examples:

• Your smart car

• Your smart home

• Pacemakers

• Hospital equipment

• Real examples: smart thermostat & smart TV

Thank you

Dennis Hansen

Email: [email protected]

Phone: +45 31 53 43 44